[PATCH net 4/4] netlabel: validate CIPSO option against skb tail in netlbl_skbuff_getattr
Qi Tang
tpluszz77 at gmail.com
Fri May 15 02:42:33 UTC 2026

Agreed on the return value, same reasoning as on 3/4: a length
mismatch here means post-parse mutation, and the unlabeled
fallback is the wrong default for that. v2 returns -EINVAL on
all three CIPSO bounds checks.

The 8 is the offset of the first tag's length byte. CIPSO option
header is type(1) + length(1) + DOI(4) = 6, plus the first tag
header type(1) + length(1) = 2. We need ptr+8 readable before
dereferencing ptr[7]. v2 will document this inline, and use
CIPSO_V4_HDR_LEN if it's exposed in the header.

Qi
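
The 6 + 2 layout described in the message above, worked through as a standalone bounds check. This is an added example, not code from the patch or the kernel: the `ex_` and `EX_` names, the sample bytes and the choice of three checks are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_OPT_HDR_LEN 6u /* hypothetical name: type(1) + length(1) + DOI(4) */
#define EX_TAG_HDR_LEN 2u /* hypothetical name: first tag type(1) + length(1) */

/* Returns 0 if the option at ptr fits before tail (one past the last
 * readable byte), -EINVAL otherwise. The three checks are this example's own. */
int ex_cipso_opt_check(const uint8_t *ptr, const uint8_t *tail)
{
    size_t avail, opt_len, tag_len;

    if (!ptr || !tail || ptr > tail)
        return -EINVAL;
    avail = (size_t)(tail - ptr);
    /* 1: ptr+8 must be readable before ptr[1] or ptr[7] is touched. */
    if (avail < EX_OPT_HDR_LEN + EX_TAG_HDR_LEN)
        return -EINVAL;
    /* 2: the option length byte must cover both headers and fit in avail. */
    opt_len = ptr[1];
    if (opt_len < EX_OPT_HDR_LEN + EX_TAG_HDR_LEN || opt_len > avail)
        return -EINVAL;
    /* 3: the first tag's length byte (ptr[7]) must stay inside the option. */
    tag_len = ptr[EX_OPT_HDR_LEN + 1];
    if (tag_len < EX_TAG_HDR_LEN || tag_len > opt_len - EX_OPT_HDR_LEN)
        return -EINVAL;
    return 0;
}

/* Constructed sample: option type 134, length 10, DOI 1, one 4-byte tag. */
static const uint8_t ex_sample[10] = {
    0x86, 0x0a, 0x00, 0x00, 0x00, 0x01, 0x01, 0x04, 0x00, 0x05
};

/* Check the sample with only n bytes readable and ptr[7] set to tag_len. */
int ex_check_sample(size_t n, uint8_t tag_len)
{
    uint8_t buf[sizeof(ex_sample)];
    memcpy(buf, ex_sample, sizeof(buf));
    buf[EX_OPT_HDR_LEN + 1] = tag_len;
    return ex_cipso_opt_check(buf, buf + (n > sizeof(buf) ? sizeof(buf) : n));
}

int main(void)
{
    printf("full=%d truncated=%d bad_tag=%d\n", ex_check_sample(10, 4),
           ex_check_sample(7, 4), ex_check_sample(10, 5));
    return 0;
}
```
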